Turn off "user must change password on first logon" in FIM 2010 Ad workflow

Question

I want to be able to turn off the need for a user to change password on first logon. I am sure I need to use the userAccountControl flag in initial flow, but I do not know what to set this to. Can anyone tell me how I can achieve this?

Also, is there another attribute I need to change for this to work normally?

Answers

Unless you've marked a password never to expire, the pwdLastSet attribute controls this. The only values you can write to pwdLastSet are 0 (which requires an immediate reset) and, if the current value is already 0, assigning -1 will set it to the current time, effectively delaying the user's next password reset as if they had just updated it. It is not possible to write arbitrary values into pwdLastSet.

If you really want non-expiring passwords--although this is not good security practice--refer here as a reference to userAccountControl's various bit flags: http://support.microsoft.com/kb/305144
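The pwdLastSet behaviour described in this answer, shown as an added PowerShell example (not code from the answerer or from FIM) using the ActiveDirectory module: it reads the attribute, clears the "must change at next logon" state with the 0-then--1 sequence the answer describes, and lists accounts that are either still flagged for a forced change or carry the DONT_EXPIRE_PASSWD bit (0x10000) from the userAccountControl flag list the answer links to. The account name 'jdoe' is a placeholder.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# an account with rights to read and write the target user's pwdLastSet attribute.
Import-Module ActiveDirectory

# DONT_EXPIRE_PASSWD bit of userAccountControl (see the KB article linked in the answer).
$DontExpirePassword = 0x10000

function Get-PwdLastSetState {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet, userAccountControl
    $mustChange   = ($u.pwdLastSet -eq 0)                                # 0 = forced reset at next logon
    $neverExpires = (($u.userAccountControl -band $DontExpirePassword) -ne 0)
    # pwdLastSet is a 64-bit FILETIME; 0 has no date meaning, so report $null for it.
    $lastSet = if ($mustChange) { $null } else { [DateTime]::FromFileTimeUtc($u.pwdLastSet) }
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        MustChangeAtNextLogon = $mustChange
        PasswordNeverExpires  = $neverExpires
        PasswordLastSetUtc    = $lastSet
    }
}

function Clear-MustChangeAtNextLogon {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet
    # Only 0 and -1 are writable. -1 is accepted when the current value is 0, so
    # force 0 first if needed, then write -1 and let AD stamp the current time.
    if ($u.pwdLastSet -ne 0) {
        Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = 0 }
    }
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = -1 }
    # The built-in parameter that performs the same write:
    #   Set-ADUser -Identity $Identity -ChangePasswordAtLogon $false
}

function Find-UsersNeedingPasswordReview {
    # Audit view for the operator: accounts still flagged for a forced change, and
    # accounts whose password never expires (the setting the answer advises against).
    Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl |
        Where-Object { $_.pwdLastSet -eq 0 -or (($_.userAccountControl -band $DontExpirePassword) -ne 0) } |
        ForEach-Object { Get-PwdLastSetState -Identity $_.SamAccountName }
}

# Usage with the placeholder account:
#   Get-PwdLastSetState -Identity 'jdoe'
#   Clear-MustChangeAtNextLogon -Identity 'jdoe'
#   Get-PwdLastSetState -Identity 'jdoe'    # MustChangeAtNextLogon is now False
#   Find-UsersNeedingPasswordReview | Format-Table
```

Writing -1 rather than a computed timestamp is deliberate: AD refuses arbitrary values in pwdLastSet, so the directory itself supplies the time, and the password expiry clock starts from that write without touching userAccountControl.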

All replies


Let user login to a system via ADFS, since I am sending them in via that I cannot have them change the password on first logon. When they login with the created and emailed password they can use the OTPR SSPR feature to change the password to a more "friendly" password.

Their passwords will expire, but I will handle that problem with notifications later.

So I was sure I needed to set the userAccountControl flag to try this, but thanks, I will try using the -1 as an initial flow and see what is the result.

pwdLastSet is a 64-bit signed integer field in AD; I've never tried to assign to it from a Portal rule or action--only LDAP--so stringifying it is probably worth a try, but I can't anticipate whether that'll work or not. Experience suggests that the FIM Sync engine will refuse to see it as anything other than numeric.
